Last Updated on March 10, 2022
CMMC 2.0 takes the US defense industrial base (DIB) “back to the future” by refocusing cybersecurity and compliance efforts on NIST 800-171. This standard has been the target all along for firms that handle controlled unclassified information (CUI) since the DFARS 7012 clause first appeared in US Department of Defense (DoD) contracts in 2016, notwithstanding the brief tenure of CMMC 1.0.
But what does CMMC 2.0 require from DIB orgs to prove or attest to compliance with NIST 800-171? This is what has recently changed and has yet to be fully clarified and codified via the CFR 32 rulemaking process.
To answer the hot questions on how defense suppliers should prepare for CMMC 2.0 compliance today, Andrea Willis, Senior Product Manager at Exostar, joined a recent episode of The Virtual CISO Podcast. Hosting the show is John Verry, Pivot Point Security’s CISO and Managing Partner.
CMMC 2.0 compliance at Level 1
For DIB companies that only handle federal contract information (FCI) but not CUI, the compliance target is the same for CMMC 2.0 as for CMMC 1.0—it’s the 17 “foundational” controls based on FAR clause 52.204-21, Basic Safeguarding of Covered Contractor Information Systems.
What’s different is that CMMC 2.0 takes the requirement for a third-party audit/certification off the table for CMMC Level 1 compliance. Instead, you’ll need to make a yearly self-attestation in the form of an affirmation letter signed by a senior executive.
This will save orgs the cost of the initial audit and a series of recertification audits. But an executive’s declaration—subject to False Claims Act sanctions—puts serious skin in the game and may spur some businesses to perform an internal audit to back up their attestation.
CMMC 2.0 compliance at Level 2
DoD suppliers that handle CUI will need to comply with CMMC Level 2, which centers on the 110 controls in NIST 800-171. But who will self-attest and who will be audited?
“For the Level 2s, it’s going to become interesting because there’s going to be some subset group—we don’t yet know who—where a senior executive is going to have to say, ‘Yes, I sign off on where we are with NIST 800-171 and CMMC 2.0,’” Andrea relates. “So that executive is on the line if they are falsely [or incorrectly] reporting their score.”
Andrea continues: “But then there is that other group of Level 2s who are going to be audited by a third party, a C3PAO, and are going to then have all the verifications and checks that they’ve said their score is 100 and here are the POAMs and the dates. So, they’re going to have a third party saying, ‘Yes, they actually are where they say they are.’ This gives additional weight to their attestation.”
Being audited has its advantages
Both John and Andrea are already seeing DIB orgs angling for third-party verification of their NIST 800-171 compliance status because of the advantages this offers in relation to the marketplace and to current contracts.
“I think we’re going to see organizations that maybe didn’t need to be audited actually getting audits because they know that way they can get a higher-level contract,” observes Andrea. “Because the government is going to say, ‘Great, if you’re going to give me that information and verify that you’re compliant, I’ll take it.’ And that will actually probably put them in a little better spot?”
“I think you’re reading the tea leaves right in that there will be some people that are going to want to get the audit,” assents John. “Some of our clients in the DIB are incredibly risk-averse and are really worried that they might have a breach and that might impact their business.”
“And then on the other side of the fence, we’ve got a lot of DIB clients that believe it would be a strategic advantage, a competitive differentiator, to have a CMMC 2.0 certification ahead of their key competitors,” John comments. “We’re even seeing five or six of our current clients that are actually going to become CMMC certified prior to the rulemaking. They’re engaging the C3PAOs now, and they want to get that certification because they think it’ll be an advantage.”
Either way, as Andrea suggests, “It’s going to be interesting once the final rule is done and those first contracts come out with that ‘three-months-ish’ grace period before those contracts have it… The flood and fury of organizations that are going to get audited at that point…”
To hear the complete podcast episode with Andrea Willis from Exostar, click here.
Ready for a more in-depth discussion of CMMC 2.0? You’ll appreciate the insightful guidance in this podcast: CMMC 2.0 is Here! Find Out What It Really Means for DIB and Non-DIB USG Contractors